ADVISORY MEMORANDUM REPORT ON
SBA'S COMPUTER SECURITY PROGRAM

ADVISORY REPORT NUMBER A1-06

SEPTEMBER 28, 2001

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.


U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

MEMORANDUM ADVISORY REPORT
Issue Date: September 28, 2001
Number: A1-06

To:       Lawrence E. Barrett
          Chief Information Officer

Subject:  Evaluation of SBA's Computer Security Program

The Government Information Security Reform Act (GISRA) requires that the Inspector General perform an independent evaluation of the Small Business Administration (SBA) information security program. This report presents the results of that evaluation.


BACKGROUND

The Government Information Security Reform Act amended the Paperwork Reduction Act (PRA) of 1995 and added a new subchapter on information security. GISRA focused on the program management, implementation and evaluation aspects of the security of unclassified and national security systems. Generally, the Act codified existing Office of Management and Budget (OMB) security policies, Circular A-130, Appendix III, the PRA, and the Clinger-Cohen Act of 1996. The SBA processes unclassified but sensitive information on its computer systems and is therefore subject to GISRA requirements. SBA operates or contracts for computer system services on 96 high-priority computer systems that are the subject of GISRA.


OBJECTIVES, SCOPE AND METHODOLOGY

The objective of our review was to evaluate SBA's computer security program and assess management controls over the safeguarding of information in accordance with GISRA requirements. We reviewed prior audits issued by our office on selected information systems and considered the results of the information security controls evaluated as part of SBA's financial statement audit using the Federal Information System Controls Audit Manual (FISCAM) for fiscal years 1998, 1999 and 2000. We also augmented our prior audit coverage with independent evaluations of SBA's computer security program to reach our conclusions on GISRA reporting areas.

Our assessment covered the 96 high-priority systems identified by SBA and its characterization of the susceptibility of those systems to unauthorized access as of July 31, 2001. As part of our evaluation, we accompanied Integrated Management Services Incorporated (IMSI), the contractor SBA hired to identify and assess sensitive SBA systems. IMSI identified and assessed those systems that had not been previously reviewed during SBA's certification and accreditation reviews. During these assessments, we interviewed SBA program officials and others in the Office of the Chief Information Officer (OCIO).

The results of our evaluation have also been reported in an OIG Executive Summary as requested by OMB in its Reporting Instructions for the Government Information Security Reform Act (Memorandum 01-24). Our work was performed at SBA's Central Office in Washington, D.C. from June 1, 2001 through July 31, 2001. This report covers those computer security program areas that we identified in the OIG Executive Summary as needing improvement or increased management emphasis. All areas where SBA maintains a satisfactory information security program are excluded from this report.


EVALUATION RESULTS

SBA generally maintains a satisfactory information security program for its high-priority financial management and general support systems. Additionally, SBA has developed and issued policies and procedures to address security protections agency-wide. However, SBA information security vulnerabilities continue to exist in computer security system testing, computer security program monitoring, system access controls, and disaster recovery and contingency planning. These vulnerabilities will require continued management emphasis on information security, with the appropriate underlying resources, to ensure that the security and continuity of SBA systems improve. We are making recommendations to establish a security system testing program, upgrade computer security monitoring capabilities, strengthen access controls and fully implement disaster recovery and contingency planning, along with several other recommendations to strengthen SBA's administration of the computer security program.


Finding 1:    Improving SBA's Certification and Accreditation Program

As part of the GISRA evaluation, the OIG reviewed the Certification and Accreditation [1] packages that have been completed for SBA systems. Certification and Accreditation packages include preparing risk assessments and security plans for SBA systems. We identified the following areas that need improvement in SBA's Certification and Accreditation program.

Completion of Risk Assessments and Security Plans

System risk assessments and security plans have been completed for about 33 of 95 Agency high-priority systems as part of the SBA Certification and Accreditation program. Additionally, three more risk assessments and two security plans are in progress, and the remaining risk assessments and security plans need to be completed.

Implementing a Management Control Process

The OIG reviewed the risk assessments that have been completed as part of the Certification and Accreditation process. SBA OCIO had internally identified 122 risks to SBA systems; however, there was no management control process to identify which risks had been corrected, mitigated, or accepted without correction. Additionally, there was no estimated scheduled date to correct risks in the future, nor was funding assigned to correct a risk as part of SBA's Capital Asset Plan. Consequently, the lack of a formalized process could result in these risks remaining uncorrected.

The following summarizes those of the 122 risks from the risk assessments that OIG considered the most serious:

  •  Eight of the 122 risks ranked as either "high" or "medium" were in monitoring the security of SBA systems.
  •  Thirteen of the 122 risks ranked as either "high" or "medium" were related to disaster recovery or contingency planning.
  •  Eighteen of the 122 risks ranked as "medium" were related to weak system access controls.

Implementing a Security Test and Evaluation Program

OIG identified that SBA does not have a Security Test and Evaluation (ST&E) program. While OCIO does have an ST&E procedure document, it has not been implemented and used to test Agency general support systems and major applications. ST&E testing by OCIO should be considered as part of the Certification process before a major application or general support system is implemented.

[1] Certification is the comprehensive evaluation of the technical and non-technical security features of a major application or general support system to measure compliance with security requirements, including all applicable Federal laws and regulations, and SBA policies and standards. Accreditation is the formal process whereby a responsible SBA official authorizes a major application or general support system to operate based on prescribed security safeguards, defined threats and vulnerabilities, and an acceptable level of risk for which the accrediting official has assumed responsibility.

Recommendations:

We recommend that the Chief Information Officer:

1A.  Complete risk assessments and system security plans for SBA's high-priority systems that have been identified as needing risk assessments and security plans.

1B.  Create a formalized management control process that identifies whether risks from the risk assessments performed for SBA systems have been corrected, mitigated, accepted, or need ongoing corrective action.

1C.  Include in its management control process a schedule to correct the deficiencies identified in the risk assessments, including responsibilities, milestone dates for completion, and funding requirements for inclusion in the Agency Capital Asset Plan, Exhibit 53 to OMB.

1D.  Correct, mitigate or accept the vulnerabilities identified in SBA's risk assessments. The most severe vulnerabilities involve security monitoring, access controls, and disaster recovery and contingency planning.

1E.  Develop a program to perform Security Test & Evaluation (ST&E) reviews on all of SBA's high-priority computer systems.


Finding 2:    Improving SBA's Computer Security Training Program

During the GISRA evaluation, OIG identified areas that need improvement in the SBA computer security training program. While we note that the OCIO computer security training program satisfactorily trained a high percentage of the Agency's computer end-users through July 2, 2001, the following areas need improvement.

Ensure Training of Designated Security Officers / Information Resource Managers

OCIO did not ensure that Designated Security Officers/Information Resource Managers (DSO/IRM) and back-ups completed the Computer Based Training Course for DSO/IRM. OIG identified that only 56 of 231 (24%) DSO/IRM and designated back-ups had completed the SBA security training course as of July 2, 2001.

Provide In-Depth Security Training to System Administrators

In a separate audit report, the OIG identified an individual who had operational security duties for operating one of SBA's general support systems and did not have adequate platform-specific security training. Additionally, this individual was not aware of SBA Standard Operating Procedure "Automated Information Systems Security Program" (SOP 90-47). While the scope of that report was limited to that one general support system, more in-depth, platform-specific security training is warranted Agency-wide.

Improve Tracking and Follow-up Mechanisms for Computer Security Training Courses

OIG identified that the list of personnel taking the OCIO computer security training courses was not always accurate. This occurred because the tracking mechanism for verifying which individuals took which training course was not accurate. Additionally, SBA could not identify the universe of individuals who should have taken the four training courses. Therefore, accurate follow-up by OCIO and agency program managers was hindered. Improving the tracking of who has taken the computer security training courses will allow SBA to identify the percentage of individuals who should be taking the courses and allow for improved follow-up by agency managers.

Recommendations:

We recommend that the Chief Information Officer:

2A.  Identify agency personnel who should be required to undertake security training as Designated Security Officers, Information Resource Managers and back-up personnel, and require those individuals to take the course on DSO/IRM security training.

2B.  Identify those agency personnel who perform significant security duties and ensure that they receive in-depth training.

2C.  Work with agency managers to fully identify the universe of agency personnel who should be required to undertake security training as computer end-users, Designated Security Officers and back-ups, Information Resource Managers, and Program Managers.

2D.  Improve the tracking mechanism for identifying who has taken each computer security training course to ensure that all responsible individuals take the required computer security training courses.


Finding 3:    Update the Project Matrix Review

SBA last performed a formal Project Matrix Review in December 1999. It did not, however, fully cover contractor-provided services, nor identify all systems that use Commercial-Off-The-Shelf (COTS) software. Additionally, systems that contain sensitive information but are not considered major applications were not within the scope of the original review. According to the Agency Computer Security Program Manager, continuous updates to the Project Matrix Review occur; however, we have noted that no formal update has been completed since 1999.

A Project Matrix Review is an internal review that lists the criticality and sensitivity of SBA high-priority systems. A Project Matrix Review allows agencies to identify which systems should have Certification and Accreditation packages performed and in what order. A Project Matrix Review also aids in determining which systems should be recovered, and in what order, for disaster recovery and contingency planning purposes.

Recommendation:

3A.  We recommend that the Chief Information Officer formally update the agency Project Matrix to include major contractor-provided services, Commercial-Off-The-Shelf (COTS) software, and systems that contain sensitive information but are not considered major agency applications.


Finding 4:    Improving Performance Measures Used by SBA

During the GISRA evaluation, OIG identified that certain performance measures reported to the Office of Management and Budget (OMB) need to be articulated or formalized to improve the SBA computer security program.

Requiring Use of the Systems Development Methodology

The SBA Chief Information Officer has issued an internal procedure manual for developing SBA systems. This manual, known as the System Development Methodology (SDM), is an internal OCIO document and is not mandated by SBA Standard Operating Procedure (SOP). Therefore, the practices and procedures contained within the SDM are not required by SBA policy and would not need to be followed by other SBA offices in implementing systems.

Performance Measures Used by the Chief Information Officer

According to SBA's GISRA report to OMB, the Chief Information Officer ensures the effective implementation of the computer security program and evaluates the performance of major agency components primarily by using internal and external reviews and audits. While we recognize that audits and reviews play a key role in evaluating the CIO's performance, we believe the CIO should develop internal performance measures, with the aid of other SBA offices, to ensure that the CIO provides the type of security, systems and services needed by the SBA.

Recommendations:

We recommend that the Chief Information Officer:

4A.  Update SBA's Standard Operating Procedure "Automated Information Systems Security Program" (SOP 90-47) to include the requirement for the Agency to follow the Systems Development Methodology when developing or acquiring new systems.

4B.  Develop internal performance measures for SBA's Computer Security Program and other aspects of the operations of the Office of the Chief Information Officer to provide the type of security, systems, and services needed by SBA.


SBA MANAGEMENT'S RESPONSE

SBA's Chief Information Officer agreed with the recommendations. See Attachment 1 for the full text of his response.

***

The findings included in this report are the conclusions of the Office of Inspector General's Auditing Division. The findings and recommendations are subject to review, management decision, and corrective action by your office in accordance with existing Agency procedures for audit follow-up and resolution.

Please provide us your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, "Recommendation Action Sheet," and show either your proposed corrective action and target date for completion, or an explanation of your disagreement with our recommendations.

This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

Should you or your staff have any questions, please contact Robert G. Hultberg, Director, Business Development Programs Group, at (202) 205-7577.

Attachments


REPORT DISTRIBUTION

Recipient                                                            Number of Copies

Administrator                                                                       1
Associate Deputy Administrator for Management and Administration                    1
General Counsel                                                                     2
General Accounting Office                                                           1
Chief Financial Officer (Attention: Jeff Brown)                                     1